Fix uncontrolled path expression in ExpandHomeDir (#816)

2024-12-21 16:38:23 +01:00 · 2024-09-24 16:19:59 -07:00 · 2024-09-24 16:19:59 -07:00 · a369381c4e
commit a369381c4e
parent acdc58877f
2 changed files with 3 additions and 2 deletions
--- a/pkg/wavebase/wavebase.go
+++ b/pkg/wavebase/wavebase.go
@ -59,7 +59,7 @@ func ExpandHomeDir(pathStr string) string {
 	if pathStr == "~" {
 		return homeDir
 	}
-	return filepath.Join(homeDir, pathStr[2:])
+	return filepath.Clean(filepath.Join(homeDir, pathStr[2:]))
 }

 func ReplaceHomeDir(pathStr string) string {
--- a/pkg/web/web.go
+++ b/pkg/web/web.go
@ -14,6 +14,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"path/filepath"
 	"runtime/debug"
 	"strconv"
 	"time"
@ -223,7 +224,7 @@ func handleLocalStreamFile(w http.ResponseWriter, r *http.Request, fileName stri
 		// use the custom response writer
 		rw := &notFoundBlockingResponseWriter{w: w, headers: http.Header{}}
 		// Serve the file using http.ServeFile
-		http.ServeFile(rw, r, fileName)
+		http.ServeFile(rw, r, filepath.Clean(fileName))
 		// if the file was not found, serve the transparent GIF
 		log.Printf("got streamfile status: %d\n", rw.status)
 		if rw.status == http.StatusNotFound {